We are using SonarQube Enterprise Edition v2025.6.1 (117629).
I am converting results from GitLab Application Security Analyzer into SonarQube Generic Formatted Reports.
This works fine for the most part, but GitLab Application Security Analyzer generates Markdown in the issue description. This Markdown is not rendered to HTML by SQ. Here is an example rule:
{
"cleanCodeAttribute": "CONVENTIONAL",
"description": "The `unsafe` package in Go allows low-level access to memory management features.\nThis includes pointers and direct access to memory. The Go compiler will no longer\nbe able to enforce type safety when working with the `unsafe` pointer types.\n\nWhile powerful, access to these functions can lead to many security related issues\n such as:\n\n- [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which\ncan lead to code execution.\n- [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which\ncan lead to code execution.\n- [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak)\nwhich can leak sensitive information, including data which can\ndefeat other protection mechanisms or cause the system to run out of memory.\n\nUnless required, all calls to the `unsafe` package should be removed.\n",
"engineId": "GitLab SAST Analyzer",
"id": "fd32e8258eb083090b23b39b2f82469fc4b8e1d5ea994ca242d836ef111e4f6e",
"impacts": [
{
"softwareQuality": "SECURITY",
"severity": "HIGH"
}
],
"name": "Use of inherently dangerous function (unsafe package)",
"severity": "CRITICAL",
"type": "VULNERABILITY"
}
Here is how that looks in SQ:
I could render Markdown to HTML, but I’m pretty sure that won’t fly for security reasons.